Although Amazon would probably prefer that its customers operate exclusively within the Amazon Web Services (AWS) cloud, relatively few organizations actually do that. Most still maintain resources on-premises and in competing cloud platforms. As such, organizations must consider how workloads running on-premises can best access data that's being hosted within the AWS cloud. One solution for doing so is to create an AWS storage gateway.

An AWS storage gateway uses an AWS cloud service in conjunction with a virtual appliance that runs on-premises. Collectively, these components provide the on-premises workloads with access to AWS cloud storage.

As a best practice, it's a good idea to get started by creating an endpoint. Creating an endpoint allows you to confine the storage gateway to your virtual private cloud. The other option is to make the gateway public, but that option introduces various security risks.

To create a Virtual Private Cloud (VPC) endpoint, log into the AWS console, and then choose VPC from the list of services (it's in the Networking and Content Delivery section). Next, click on the Endpoints tab, and then click on the Create Endpoint button.

The screen shown in Figure 1 prompts you to select the service category you want to use. Choose the AWS Service option, and then choose com.amazonaws.<region>.storagegateway as the service name, as shown in Figure 1.

Now, scroll down and choose the VPC that you wish to use. Make note of its availability zone and subnet. Scroll down a bit more and then choose the security group that you wish to use. Remember that in AWS, a security group is a firewall, so you're essentially selecting a firewall. Whether you keep the default selection or pick an existing security group, the group must allow inbound traffic on several TCP ports: 443, 1026, 1027, 1028, 1031 and 2222. Once you've selected a security group, click Create Endpoint to create your VPC endpoint.

When you create a storage gateway, one of the steps in the process involves selecting the type of storage that the gateway will service. One of the most common use cases is making S3 object storage accessible to on-premises resources as file storage. If this is your intention, then you're going to need to create an S3 endpoint in addition to the endpoint that you have already created.

The steps involved in creating the endpoint are very similar to the steps that I just showed you, but there are some key differences. As was the case before, you will need to begin the process by clicking on the Create Endpoint button. This will take you back to the screen that was shown in the previous figure. This time, though, you'll need to choose the com.amazonaws.<region>.s3 service. You can see what this looks like in Figure 2.

Figure 2. You will need to choose the S3 service.

Now here is where the process really begins to differ from what you did before. Rather than selecting a VPC and a security group, you'll need to select a VPC and one or more routing tables within that VPC. When you create the endpoint, a route will be created within the routing table, thereby making it possible to access the endpoint. You can see what this portion of the process looks like in Figure 3.

The last part of this process involves configuring an access policy. You can either provide full access to the users and services within the VPC, or you can define a custom policy. I recommend using the Full Access option unless you have a compelling reason to create a custom policy.

Now, click on the Create Endpoint button and the S3 endpoint will be created.

Once you close out of the interface, you'll be taken back to the Endpoints tab on the VPC dashboard. Both of your endpoints should be listed on this screen. Make note of the endpoint IDs, because you'll need to reference them later on when you create the storage gateway. I'll walk you through the gateway creation process in the second part of this series.
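The two endpoints above are created through the console, but the same inputs can be checked and assembled in code before you click Create. The following Python is an added example, not code from the article or from AWS: it audits a security group record (shaped like `aws ec2 describe-security-groups` output) for the six TCP ports the Storage Gateway endpoint needs, and builds the parameter sets for the interface endpoint and the S3 gateway endpoint in the form boto3's `ec2.create_vpc_endpoint` accepts. The region, VPC, subnet, route-table and security-group IDs, and the sample security group itself, are constructed placeholders; the full-access policy document is assumed to match the console's Full Access choice. Nothing here calls AWS, so it runs offline.

```python
"""Pre-flight checks and request shapes for the Storage Gateway VPC endpoints.

Added example (not from the original article). Works offline on constructed
input; IDs below are placeholders, not real resources.
"""
from __future__ import annotations

import json

# TCP ports the article says the gateway's security group must allow inbound.
REQUIRED_TCP_PORTS = (443, 1026, 1027, 1028, 1031, 2222)

# Constructed sample: looks like one entry from describe-security-groups.
# It deliberately omits port 1031 so the audit has something to report.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443},
        {"IpProtocol": "tcp", "FromPort": 1026, "ToPort": 1028},
        {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222},
    ],
}


def missing_ports(security_group: dict, required=REQUIRED_TCP_PORTS) -> list[int]:
    """Return the required TCP ports that no inbound rule covers.

    A rule with IpProtocol "-1" allows all traffic; a "tcp" rule covers the
    inclusive range FromPort..ToPort.
    """
    missing = []
    for port in required:
        allowed = False
        for rule in security_group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            if proto == "-1":
                allowed = True
                break
            if proto == "tcp" and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1):
                allowed = True
                break
        if not allowed:
            missing.append(port)
    return missing


def storage_gateway_endpoint_params(region: str, vpc_id: str,
                                    subnet_ids: list[str], sg_ids: list[str]) -> dict:
    """Interface endpoint for the Storage Gateway service (first endpoint)."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.storagegateway",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(sg_ids),
    }


def full_access_policy() -> dict:
    """Policy document assumed to match the console's Full Access option."""
    return {
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
        ]
    }


def s3_gateway_endpoint_params(region: str, vpc_id: str,
                               route_table_ids: list[str], policy: dict | None = None) -> dict:
    """Gateway endpoint for S3 (second endpoint), attached to route tables.

    The gateway endpoint adds a route to each listed route table; the policy
    is passed as a JSON string, which is what create_vpc_endpoint expects.
    """
    params = {
        "VpcEndpointType": "Gateway",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "RouteTableIds": list(route_table_ids),
    }
    if policy is not None:
        params["PolicyDocument"] = json.dumps(policy)
    return params


if __name__ == "__main__":
    gaps = missing_ports(SAMPLE_SG)
    print("security group is missing TCP ports:", gaps or "none")
    print(json.dumps(storage_gateway_endpoint_params(
        "us-east-1", "vpc-0abc", ["subnet-0abc"], [SAMPLE_SG["GroupId"]]), indent=2))
    print(json.dumps(s3_gateway_endpoint_params(
        "us-east-1", "vpc-0abc", ["rtb-0abc"], full_access_policy()), indent=2))
```

Run the audit against the real security group before creating the interface endpoint; a missing port shows up later as a gateway that cannot activate, which is harder to diagnose than a failed pre-check.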

About the Author

Brien Posey is a 16-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.